I'm trying to deploy a static website to an S3 bucket through Bitbucket Pipelines but am getting an Access Denied error on the PutObject operation.
The bucket doesn't have public access; it is served through CloudFront distributions.
VERIFIED CHECKS:
{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::qa.polarunicorn.com/*"
    }
  ]
}
bitbucket-pipelines.yml
image: node:10.15.3
pipelines:
  custom:
    qa:
      - step:
          name: QA - Install, test and build
          caches:
            - node
          script:
            - yarn
            - yarn test
            - yarn build:dev
          artifacts:
            - dist/**
      - step:
          name: QA - Deploy on S3
          deployment: test
          script:
            - pipe: atlassian/aws-s3-deploy:0.3.7
              variables:
                AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
                AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
                AWS_DEFAULT_REGION: '$AWS_REGION_NAME'
                S3_BUCKET: '$QA_BUCKET'
                ACL: 'public-read'
                LOCAL_PATH: 'dist'
                DELETE_FLAG: 'true'
Pipeline's build status:
I have found and tried all the possible solutions but am not able to catch the actual issue here, because everything looks good, as expected... ☹️
Hi @Gulshan kumar, do you have any other Bucket ACLs, IAM Policies or Bucket Policies configured? Does the IAM user own the bucket and/or the objects that you try to update?
Thanks for the update @Alexander Zhukov. I just found the issue, and it requires a minor change: just update the ACL value in the bitbucket-pipelines.yml as:
ACL: 'bucket-owner-full-control'
and earlier, I was using
ACL: 'public-read'
(check in the question above)
---
All the valid values are:
private | public-read | public-read-write | authenticated-read | bucket-owner-read | bucket-owner-full-control
Default: private
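A pre-flight check for the two things discussed in this thread: the canned ACL versus the bucket's Block Public Access setting, and what the posted bucket policy actually grants, and to which principal (it names the CloudFront OAI, not the pipeline's IAM user). This is an added example, not code from the thread or from the aws-s3-deploy pipe; the deploy user ARN, the OAI id and the assumption that "no public access" means BlockPublicAcls is on are constructed, and the policy matcher handles only `*` wildcards, not Condition blocks.

```python
import fnmatch

# Canned ACLs that S3 treats as public; with BlockPublicAcls on, a PutObject carrying one is rejected.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
BUCKET = "qa.polarunicorn.com"
# Constructed sample values: a placeholder OAI id and a hypothetical pipeline deploy user.
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLE"
DEPLOY_USER_ARN = "arn:aws:iam::123456789012:user/bitbucket-deploy"
BUCKET_POLICY = {  # the bucket policy from the question, with the OAI placeholder filled in
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject", "Effect": "Allow",
        "Principal": {"AWS": OAI_ARN},
        "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}
def _as_list(value):
    return [value] if isinstance(value, str) else list(value)
def _principals(stmt):
    principal = stmt.get("Principal", {})  # either '*' or {"AWS": arn | [arns]}
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
def _matches(patterns, value):
    # IAM-style '*' wildcard only; Condition blocks are not evaluated (simplification).
    return any(p == "*" or fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def bucket_policy_decision(policy, principal_arn, action, resource_arn):
    """'Deny', 'Allow' or 'NoMatch' for one request, from bucket-policy statements only."""
    decision = "NoMatch"
    for stmt in policy["Statement"]:
        if (_matches(_principals(stmt), principal_arn) and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource_arn)):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"
    return decision

def put_object_blocked_by_bpa(acl, block_public_acls):
    """True when Block Public Access alone rejects the PUT because of its canned ACL."""
    return block_public_acls and acl in PUBLIC_ACLS

def preflight(acl, principal_arn, key, block_public_acls=True, policy=BUCKET_POLICY):
    """Reasons a deploy of `key` with `acl` by `principal_arn` fails or needs an IAM identity policy."""
    problems = []
    if put_object_blocked_by_bpa(acl, block_public_acls):
        problems.append(f"ACL {acl!r} is public: BlockPublicAcls rejects the PutObject")
    if bucket_policy_decision(policy, principal_arn, "s3:PutObject", f"arn:aws:s3:::{BUCKET}/{key}") != "Allow":
        problems.append("bucket policy grants this principal no s3:PutObject: an IAM policy must allow it")
    return problems
```

With the thread's original `public-read` the check reports both problems; switching to `bucket-owner-full-control` leaves only the note that the deploy user's permission must come from its IAM policy, since the bucket policy names the OAI only.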
Is there any way it can mistakenly update all my buckets?